Wednesday, April 15, 2009

Help stopping the Conficker worm

As you might know, the Conficker worm is spreading all over the world and hitting hard. I read the architecture of the worm and it is very tricky.

 

The worm installs itself by registering several DLLs and a service on the system, then it downloads instructions from the internet on how to operate, interact and update itself.

 

I have paid close attention to the worm since the early days; we have been scanning our systems and network on a weekly basis to isolate infected PCs and, thank God, we have none. What made me write today is that I read an article indicating that about 4.5 million PCs worldwide are infected with the Conficker worm.

 

Below are some steps to help you protect your network:

- Install the Microsoft hotfix for MS08-067, the vulnerability the worm uses to spread: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

 

- Conficker generates 250 candidate rendezvous domains per day (variants A and B; variant C raised this to 50,000), so you can use https://www.opendns.com/start to block those domains, since OpenDNS publishes blocks for the names the worm is expected to contact. This only helps if your hosts actually resolve through OpenDNS, so point your internal resolvers at it and block direct outbound DNS from workstations.

- Use Nessus (http://blog.tenablesecurity.com/2009/03/detecting-conficker-with-nessus.html) to scan your network for infected hosts; I prefer using Nmap.

 

- Finally, pray and ask God to help your network.
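The DNS-blocking step above works because an infected host has to look up hundreds of candidate domains a day, most of which were never registered, so it produces a burst of NXDOMAIN answers for many distinct names. That behaviour shows up in your own resolver logs. The following is an added example, not part of the original post or of any Microsoft, OpenDNS or Nmap tooling: it parses a constructed, simplified resolver log (timestamp, client, queried name, response code) and flags clients that hit many distinct NXDOMAIN names inside a short window. The log format, the 10-minute window and the threshold of 5 are assumptions to tune per environment, and the heuristic deliberately does not implement Conficker's own domain-generation algorithm; it catches any client behaving like one.

```python
"""Added example (not from the original post): flag hosts whose DNS query
pattern looks like Conficker's daily rendezvous-domain generation.

Conficker.A/B ask the local resolver for 250 pseudo-random domains per day,
most of which were never registered, so an infected host produces a burst of
NXDOMAIN answers for many *distinct* never-seen names.  This heuristic does
not implement the worm's actual domain generation algorithm; it only counts
distinct NXDOMAIN names per client in a sliding time window.

The log format below is a constructed, simplified resolver log
(timestamp client qname rcode), not the output of a real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one clean workstation (10.1.2.10) and one that looks
# infected (10.1.2.47).  Names are made up.
SAMPLE_LOG = """\
2009-04-15T09:00:01 10.1.2.10 www.microsoft.com NOERROR
2009-04-15T09:00:02 10.1.2.10 update.microsoft.com NOERROR
2009-04-15T09:00:05 10.1.2.10 typo.examp1e.com NXDOMAIN
2009-04-15T09:00:11 10.1.2.47 qwmzkjh.biz NXDOMAIN
2009-04-15T09:00:12 10.1.2.47 aqlvpxo.info NXDOMAIN
2009-04-15T09:00:12 10.1.2.47 gytrbwe.org NXDOMAIN
2009-04-15T09:00:13 10.1.2.47 llsdkfj.net NXDOMAIN
2009-04-15T09:00:14 10.1.2.47 poiuytr.com NXDOMAIN
2009-04-15T09:00:14 10.1.2.47 poiuytr.com NXDOMAIN
2009-04-15T09:00:15 10.1.2.47 zxcvbnm.biz NXDOMAIN
2009-04-15T09:00:16 10.1.2.47 www.microsoft.com NOERROR
2009-04-15T09:00:17 10.1.2.47 mnbvcxz.org NXDOMAIN
2009-04-15T09:00:18 10.1.2.47 asdfghj.info NXDOMAIN
2009-04-15T10:30:00 10.1.2.47 stale.example.net NXDOMAIN
"""


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield when, client, qname.lower().rstrip("."), rcode.upper()


def nxdomain_bursts(text, window=timedelta(minutes=10), threshold=5):
    """Return {client: max distinct NXDOMAIN names seen in any `window`}
    for every client whose maximum reaches `threshold`.

    Repeated queries for the same name count once, so a single mistyped
    hostname retried many times does not trigger the detection.
    """
    per_client = defaultdict(list)
    for when, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((when, qname))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        best = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({q for _, q in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for host, count in sorted(nxdomain_bursts(SAMPLE_LOG).items()):
        print(f"{host}: {count} distinct NXDOMAIN names in a 10-minute window")
```

Run it against the logs of a resolver your workstations actually use; an infected PC whose DNS goes straight to the internet never appears in this log, which is also why forcing all outbound DNS through your own resolvers is a prerequisite for the OpenDNS step above.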

 

Visit Microsoft's Conficker page:

http://technet.microsoft.com/en-us/security/dd452420.aspx

 



“The information contained in this communication is intended solely for the use of the individual or entity it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message is strictly prohibited. If you have received this message by mistake please notify the sender immediately by e-mail, destroy it and delete it from your system. The sender is neither liable for the proper and complete transmission of the information contained in this communication nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication”

Monday, April 13, 2009

Helping OCS not to drop words: applying voice QoS for OCS on WAN traffic

It has been a long time since I blogged; I was busy on some new projects that burned my time.

 

I will blog about a topic I have wanted to write about for a long time: applying the correct QoS for OCS 2007 traffic over the WAN. This has been a hot topic (at least for me), as I believe that all voice traffic requires it over WAN links.

 

I will introduce some QoS terminology in this post, and in a later post explain how to apply QoS to OCS traffic.

 

Quality of Service Models

There are 3 service models:

·         Best Effort · No QoS policies are implemented

·         Integrated Services (IntServ) · The Resource Reservation Protocol (RSVP) reserves bandwidth per flow on every node along the path before any data is sent; once the end-to-end reservation is in place, the data is transmitted.

·         Differentiated Services (DiffServ) · Packets are individually classified and marked (normally at the network edge), and each node in the path makes its own policy decision. DiffServ does not use RSVP; instead each router applies a per-hop behavior (PHB) selected by the packet's marking to decide what service level the packet receives.

IP QoS Markings

We currently use 2 QoS marking methods:

·         Precedence · The first three bits of the IP TOS field are evaluated; compatible with Ethernet CoS and MPLS EXP values

·         DSCP · The first six bits of the IP TOS are evaluated to provide more granular classification; backward-compatible with IP Precedence

The following table lists the IP Precedence values (the page's table omitted the leading zeros of the binary values and the value 0):

Precedence   Binary   Application
7            111      Reserved
6            110      Routing
5            101      Voice
4            100      Streaming Video
3            011      Call Signaling
2            010      Transactional
1            001      Bulk Data
0            000      Best Effort

 

The following table lists the Assured Forwarding (AF) DSCP values. The first three bits select the AF class, the next two bits the drop precedence within that class, and the final bit is always 0; the decimal value a router expects is simply the six bits read as one number:

Class priority   AF Class     Drop Probability   DSCP (binary)   DSCP (decimal)
Low              AF Class 1   AF11 (low)         001 01 0        10
                              AF12 (medium)      001 10 0        12
                              AF13 (high)        001 11 0        14
Medium           AF Class 2   AF21 (low)         010 01 0        18
                              AF22 (medium)      010 10 0        20
                              AF23 (high)        010 11 0        22
High             AF Class 3   AF31 (low)         011 01 0        26
                              AF32 (medium)      011 10 0        28
                              AF33 (high)        011 11 0        30
Very High        AF Class 4   AF41 (low)         100 01 0        34
                              AF42 (medium)      100 10 0        36
                              AF43 (high)        100 11 0        38

Note that the AF classes are not what voice itself uses: voice bearer (RTP) traffic is normally marked Expedited Forwarding, EF (101 110, decimal 46), whose top three bits map to IP Precedence 5, Voice, in the previous table.
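To make the relationship between the two tables concrete, here is an added example (not from the original post, and not tied to OCS or any vendor) that encodes and decodes DiffServ code points as plain bit arithmetic: it builds the AF table from class and drop precedence, shows why the top three bits of a DSCP are the old IP Precedence value (which is what "backward-compatible" means above), and converts a DSCP into the full TOS byte you see in a packet capture. EF is included since that is the voice marking; the function and constant names are my own.

```python
"""Added example (not from the original post): encode and decode DiffServ
code points so the link between the AF table, the decimal DSCP values typed
into a router, and the older IP Precedence field is explicit.

Nothing here is OCS- or vendor-specific; it is plain RFC 2474/2597 bit math.
"""

EF = 0b101110  # Expedited Forwarding, decimal 46, used for voice bearer (RTP) traffic


def af_dscp(af_class, drop_precedence):
    """DSCP for AFxy: class (1-4) in the top three bits, drop precedence (1-3)
    in the next two bits, lowest bit zero.  AF41 -> 0b100010 = 34."""
    if not 1 <= af_class <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def parse_dscp_bits(text):
    """Parse a spaced binary string as written in the table, e.g. '100 01 0'."""
    bits = text.replace(" ", "")
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError(f"not a 6-bit DSCP: {text!r}")
    return int(bits, 2)


def precedence_of(dscp):
    """IP Precedence is the top three bits of the six-bit DSCP; that overlap is
    why DSCP marking is backward compatible with precedence-only routers."""
    return dscp >> 3


def tos_byte(dscp, ecn=0):
    """The full 8-bit TOS/DS byte as seen in a capture: DSCP << 2 | ECN.
    EF (46) therefore appears as 0xB8 on the wire."""
    return (dscp << 2) | (ecn & 0b11)


def af_name(dscp):
    """Inverse of af_dscp: 'AF41' for 34, or None if the value is not an AF code point."""
    cls, drop, low = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if low == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return None


def af_table():
    """Rebuild the AF table from the post as {name: (binary, decimal, precedence)}."""
    table = {}
    for cls in range(1, 5):
        for drop in range(1, 4):
            d = af_dscp(cls, drop)
            table[f"AF{cls}{drop}"] = (f"{d:06b}", d, precedence_of(d))
    return table


if __name__ == "__main__":
    for name, (bits, dec, prec) in af_table().items():
        print(f"{name}: {bits} = {dec:2d}, tos 0x{tos_byte(dec):02x}, precedence {prec}")
    print(f"EF:   {EF:06b} = {EF}, tos 0x{tos_byte(EF):02x}, precedence {precedence_of(EF)}")
```

The precedence column this prints (1 to 4 for AF1x to AF4x, 5 for EF) is exactly the mapping the first table needs, so a router that only understands IP Precedence still puts AF41 video into precedence 4 and EF voice into precedence 5.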

 

How to enforce the bandwidth limits:

Neither of these reserves bandwidth in the IntServ sense; they condition traffic so that a class cannot exceed the rate you have budgeted for it on the WAN link. You can use either of the following methods:

·         Policing · Creates an artificial ceiling on the amount of bandwidth that may be consumed; traffic exceeding the cap can be re-marked or dropped

·         Shaping · Similar to policing but buffers excess traffic for delayed transmission; makes more efficient use of bandwidth but introduces delay and jitter, which is exactly what voice cannot tolerate, so shape the aggregate link or the data classes rather than the voice class itself
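The difference between the two methods is easiest to see in numbers. Below is an added example, not from the original post and not a model of any particular router, that pushes the same burst of packets through a single-rate token bucket once as a policer (drop what exceeds the bucket) and once as a shaper (hold it until tokens exist). The packet sizes, arrival times, rate and bucket depth are constructed; the shaper's queue is assumed unbounded, whereas a real interface bounds it and eventually drops too.

```python
"""Added example (not from the original post): a minimal token-bucket model
that runs one burst of packets through a policer and a shaper, so the
difference the post describes (drop vs. buffer-and-delay) is visible in numbers.

Assumptions: a single-rate token bucket with a fixed burst size, packets of
known size arriving at known times, and a shaper with an unbounded FIFO
queue (real routers bound the queue and eventually drop as well).  Rates are
bytes per second, times are seconds.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    arrival: float  # seconds
    size: int       # bytes


@dataclass
class TokenBucket:
    rate: float  # sustained bytes/second
    burst: int   # bucket depth in bytes (how much can go at once)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # start full

    def refill(self, now):
        """Add tokens for the time elapsed since the last refill, capped at burst."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def time_until(self, size):
        """Seconds until `size` tokens are available (0 if they already are)."""
        deficit = size - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.rate


def police(packets, rate, burst):
    """Policer: forward a packet only if tokens exist right now, else drop it.
    Returns (forwarded, dropped); forwarded packets are never delayed."""
    bucket = TokenBucket(rate, burst)
    forwarded, dropped = [], []
    for p in sorted(packets, key=lambda p: p.arrival):
        bucket.refill(p.arrival)
        if bucket.tokens >= p.size:
            bucket.tokens -= p.size
            forwarded.append(p)
        else:
            dropped.append(p)
    return forwarded, dropped


def shape(packets, rate, burst):
    """Shaper: never drop; hold each packet until tokens exist, then send.
    Returns [(packet, departure_time)]; delay = departure - arrival."""
    bucket = TokenBucket(rate, burst)
    departures = []
    clock = 0.0  # FIFO: a packet cannot leave before the one ahead of it
    for p in sorted(packets, key=lambda p: p.arrival):
        ready = max(p.arrival, clock)
        bucket.refill(ready)
        depart = ready + bucket.time_until(p.size)
        bucket.refill(depart)
        bucket.tokens -= p.size
        departures.append((p, depart))
        clock = depart
    return departures


# Constructed burst: ten 1000-byte packets 1 ms apart, offered to a
# 100 kB/s (800 kbit/s) contract with a 3000-byte burst allowance.
BURST = [Packet(arrival=i * 0.001, size=1000) for i in range(10)]
RATE, DEPTH = 100_000, 3000

if __name__ == "__main__":
    fwd, drp = police(BURST, RATE, DEPTH)
    print(f"policer: {len(fwd)} forwarded, {len(drp)} dropped")
    for p, t in shape(BURST, RATE, DEPTH):
        print(f"shaper: arrived {p.arrival * 1000:5.1f} ms, left {t * 1000:6.1f} ms, "
              f"delay {(t - p.arrival) * 1000:5.1f} ms")
```

With these numbers the policer passes the first three packets (the burst allowance) and drops the other seven, while the shaper delivers all ten but the last one leaves 61 ms after it arrived. For a voice stream that 61 ms is a dropped word either way, which is why the shaper belongs on the data classes and the voice class gets a strict priority queue within the shaped link.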

 

Mahmoud




And MS launches Microsoft Egypt Heroes

Karim Salah started the Heroes initiative in Egypt several months ago, a group of the IT pros in Egypt that delivers specialized messages for them; great idea from Kimo.

 

To join please visit http://www.hero-eg.com

 

Mahmoud


